httpd-dev mailing list archives

From Ruediger Pluem <rpl...@apache.org>
Subject Re: [vote] 2.1.9 as beta
Date Wed, 02 Nov 2005 19:41:18 GMT


On 11/02/2005 11:25 AM, Colm MacCarthaigh wrote:
> On Sat, Oct 29, 2005 at 09:09:46PM -0700, Paul Querna wrote:

[..cut..]

> 
>>As a reminder, if you know of any issues you consider a SHOW STOPPER for
>>a 2.2.0 stable release, please add them to the branches/2.2.x STATUS file.
> 
> 
> I'm tempted to suggest the mod_cache Vs mod_authz_host as a
> show-stopper, but since this is going nowhere fast and the only way to

I do not regard this as a showstopper since we only have an admittedly serious
security problem in a *specific* configuration. I think it is enough to add a big
warning to the mod_cache documentation that protecting cached resources with
mod_authz_host does not work as expected. There are many ways to create an insecure
configuration if you do not take care, so this warning should be enough.
Even more as caching seems to me some sort of advanced configuration anyway that
will mostly be done by more experienced people.

> fix it has a veto, the only viable solution may be to remove mod_cache

Just for my remembrance: This was the quick_handler vs. handler issue, correct?
Who actually vetoes this fix? As far as I remember the fix made it configurable
where to run the cache handler (quick_handler / handler), right?

> prior to GA.
> 

If we remove it before GA no one can use it and it would be a large step backward as

- It makes caching forward proxies impossible (a regression to 1.3 / 2.0.x).
- Is a major drawback for reverse proxy configurations, whose possibilities have been improved
  by large in 2.1
- It would be a large step backward compared to 2.0.x where this problem is also present.

If we leave it in we only have a subgroup of users who cannot use it.
What is more important from my point of view is that we return to a discussion how to solve
this problem and solve the technical concerns expressed in the veto of the fix.


Regards

Rüdiger

